* Update tests for newer version of openshift (#254)
* Update tests for newer version of openshift
More recent versions of ocp no longer automatically create tokens for
service accounts. This updates the tests to manually create the tokens.
* Update nginx template version
The old image was EOL and the deployment was failing to deploy.
* Fix nginx version for all tasks
* Add missing var
* Remove openshift inventory plugin (#252)
* Remove openshift inventory plugin
This removes the openshift inventory plugin which has been deprecated
since version 3.0.0. The tests have been updated to retain coverage of
the connection plugin, which is still supported.
* Update version in Makefile
* CI fixes
* Update version info in build scripts
* Set ansible remote directory
The security policy on the pod is preventing ansible from writing to /.
Set it to /tmp which should be writable.
* Bump the ansible-lint version to 25.1.2 (#255)
* Bump the ansible-lint version to 25.1.2
* Update changelogs/fragments/ansible-lint-update.yml
Co-authored-by: Bikouo Aubin <79859644+abikouo@users.noreply.github.com>
---------
Co-authored-by: Bikouo Aubin <79859644+abikouo@users.noreply.github.com>
* Add ansible-lint to tox linters (#258)
* Add ansible-lint to tox linters
* Bump black
* Black formatting
* fix linting
* prepare release 4.0.2 (#262) (#263)
(cherry picked from commit 55ccaf3394)
* Update k8s dependency upper bounds (#257)
---------
Co-authored-by: Mike Graves <mgraves@redhat.com>
Co-authored-by: GomathiselviS <gomathiselvi@gmail.com>
Co-authored-by: Bikouo Aubin <79859644+abikouo@users.noreply.github.com>
Co-authored-by: Bianca Henderson <beeankha@gmail.com>
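---
# Integration test for community.okd.openshift_adm_prune_auth with
# resource=clusterroles.
#
# Flow:
#   1. A ServiceAccount (plus a long-lived token Secret) starts with no RBAC
#      and is shown to be forbidden from listing Nodes and Pods.
#   2. A namespaced RoleBinding to the "pod-manager" ClusterRole grants Pods
#      in the test namespace only.
#   3. ClusterRoleBindings to both ClusterRoles grant Pods cluster-wide and
#      Nodes.
#   4. Pruning "pod-manager" removes its bindings: Pods are forbidden again,
#      Nodes still work.
#   5. Pruning the remaining labelled ClusterRoles removes Node access too.
#
# Every call made as the ServiceAccount uses validate_certs: false. The
# bearer token is therefore sent to whatever cluster_host resolves to
# without a TLS identity check; acceptable for a throwaway CI cluster, but
# passing the cluster CA via the modules' ca_cert option would be stricter.
- name: Test pruning of ClusterRoles and their bindings
  block:
    - name: Set test resource names
      set_fact:
        test_sa: "clusterrole-sa"
        test_ns: "clusterrole-ns"
        test_tn: "clusterrole-tn"

    - name: Ensure namespace
      kubernetes.core.k8s:
        kind: Namespace
        name: "{{ test_ns }}"

    - name: Get cluster information
      kubernetes.core.k8s_cluster_info:
      register: cluster_info
      no_log: true

    - name: Set cluster host
      set_fact:
        cluster_host: "{{ cluster_info['connection']['host'] }}"

    - name: Create Service account
      kubernetes.core.k8s:
        definition:
          apiVersion: v1
          kind: ServiceAccount
          metadata:
            name: "{{ test_sa }}"
            namespace: "{{ test_ns }}"

    # Newer OpenShift releases no longer auto-create SA token Secrets, so one
    # is requested explicitly via the service-account-token Secret type.
    - name: Create SA token
      kubernetes.core.k8s:
        definition:
          apiVersion: v1
          kind: Secret
          metadata:
            name: "{{ test_tn }}"
            namespace: "{{ test_ns }}"
            annotations:
              kubernetes.io/service-account.name: "{{ test_sa }}"
          type: kubernetes.io/service-account-token

    # The token controller populates data.token asynchronously after the
    # Secret exists, so poll until it is present rather than reading once
    # and failing on a missing key. The registered result contains the
    # token, hence no_log.
    - name: Get secret details
      kubernetes.core.k8s_info:
        kind: Secret
        namespace: "{{ test_ns }}"
        name: "{{ test_tn }}"
      register: _secret
      until: >-
        _secret.resources | default([]) | length > 0
        and 'token' in (_secret.resources[0].data | default({}))
      retries: 10
      delay: 3
      no_log: true

    - name: Set API token
      set_fact:
        api_token: "{{ _secret.resources[0]['data']['token'] | b64decode }}"
      no_log: true  # keep the decoded bearer token out of verbose output

    # --- Phase 1: no RBAC yet, everything must be forbidden ---------------

    - name: list Node should failed (forbidden user)
      kubernetes.core.k8s_info:
        api_key: "{{ api_token }}"
        host: "{{ cluster_host }}"
        validate_certs: false
        kind: Node
      register: error
      ignore_errors: true

    - name: Assert listing nodes is forbidden
      assert:
        that:
          - '"nodes is forbidden: User" in error.msg'

    - name: list Pod for all namespace should failed
      kubernetes.core.k8s_info:
        api_key: "{{ api_token }}"
        host: "{{ cluster_host }}"
        validate_certs: false
        kind: Pod
      register: error
      ignore_errors: true

    - name: Assert listing pods cluster-wide is forbidden
      assert:
        that:
          - '"pods is forbidden: User" in error.msg'

    - name: list Pod for test namespace should failed
      kubernetes.core.k8s_info:
        api_key: "{{ api_token }}"
        host: "{{ cluster_host }}"
        validate_certs: false
        kind: Pod
        namespace: "{{ test_ns }}"
      register: error
      ignore_errors: true

    - name: Assert listing pods in the test namespace is forbidden
      assert:
        that:
          - '"pods is forbidden: User" in error.msg'

    # --- Phase 2: namespaced RoleBinding to the pod-manager ClusterRole ----

    # test_labels is applied to every role/binding so the prune module can
    # select them with a label selector; api_version_binding exercises both
    # the OpenShift and the upstream RBAC API groups for ClusterRoleBindings.
    - name: Define test labels and cluster roles
      set_fact:
        test_labels:
          phase: dev
        cluster_roles:
          - name: pod-manager
            resources:
              - pods
            verbs:
              - list
            api_version_binding: "authorization.openshift.io/v1"
          - name: node-manager
            resources:
              - nodes
            verbs:
              - list
            api_version_binding: "rbac.authorization.k8s.io/v1"

    - name: Create cluster roles
      kubernetes.core.k8s:
        definition:
          kind: ClusterRole
          apiVersion: "rbac.authorization.k8s.io/v1"
          metadata:
            name: "{{ item.name }}"
            labels: "{{ test_labels }}"
          rules:
            - apiGroups: [""]
              resources: "{{ item.resources }}"
              verbs: "{{ item.verbs }}"
      loop: "{{ cluster_roles }}"

    - name: Create Role Binding (namespaced)
      kubernetes.core.k8s:
        definition:
          kind: RoleBinding
          apiVersion: "rbac.authorization.k8s.io/v1"
          metadata:
            name: "{{ cluster_roles[0].name }}-binding"
            namespace: "{{ test_ns }}"
            labels: "{{ test_labels }}"
          subjects:
            - kind: ServiceAccount
              name: "{{ test_sa }}"
              namespace: "{{ test_ns }}"
              apiGroup: ""
          roleRef:
            kind: ClusterRole
            name: "{{ cluster_roles[0].name }}"
            apiGroup: ""

    - name: list Pod for all namespace should failed
      kubernetes.core.k8s_info:
        api_key: "{{ api_token }}"
        host: "{{ cluster_host }}"
        validate_certs: false
        kind: Pod
      register: error
      ignore_errors: true

    - name: Assert listing pods cluster-wide is still forbidden
      assert:
        that:
          - '"pods is forbidden: User" in error.msg'

    - name: list Pod for test namespace should succeed
      kubernetes.core.k8s_info:
        api_key: "{{ api_token }}"
        host: "{{ cluster_host }}"
        validate_certs: false
        kind: Pod
        namespace: "{{ test_ns }}"
      no_log: true

    # --- Phase 3: ClusterRoleBindings for both ClusterRoles ----------------

    - name: Create Cluster role Binding
      kubernetes.core.k8s:
        definition:
          kind: ClusterRoleBinding
          apiVersion: "{{ item.api_version_binding }}"
          metadata:
            name: "{{ item.name }}-binding"
            labels: "{{ test_labels }}"
          subjects:
            - kind: ServiceAccount
              name: "{{ test_sa }}"
              namespace: "{{ test_ns }}"
              apiGroup: ""
          roleRef:
            kind: ClusterRole
            name: "{{ item.name }}"
            apiGroup: ""
      loop: "{{ cluster_roles }}"

    - name: list Pod for all namespace should succeed
      kubernetes.core.k8s_info:
        api_key: "{{ api_token }}"
        host: "{{ cluster_host }}"
        validate_certs: false
        kind: Pod
      no_log: true

    - name: list Pod for test namespace should succeed
      kubernetes.core.k8s_info:
        api_key: "{{ api_token }}"
        host: "{{ cluster_host }}"
        validate_certs: false
        kind: Pod
        namespace: "{{ test_ns }}"
      no_log: true

    - name: list Node using ServiceAccount
      kubernetes.core.k8s_info:
        api_key: "{{ api_token }}"
        host: "{{ cluster_host }}"
        validate_certs: false
        kind: Node
        namespace: "{{ test_ns }}"
      no_log: true

    # --- Phase 4: prune pod-manager only -----------------------------------

    - name: Prune clusterroles (check mode)
      community.okd.openshift_adm_prune_auth:
        resource: clusterroles
        label_selectors:
          - phase=dev
      register: check
      check_mode: true

    - name: validate clusterrole binding candidates for prune
      assert:
        that:
          - 'item["name"]+"-binding" in check.cluster_role_binding'
          - 'test_ns+"/"+cluster_roles[0].name+"-binding" in check.role_binding'
      loop: "{{ cluster_roles }}"

    - name: Prune Cluster Role for managing Pod
      community.okd.openshift_adm_prune_auth:
        resource: clusterroles
        name: "{{ cluster_roles[0].name }}"

    - name: list Pod for all namespace should failed
      kubernetes.core.k8s_info:
        api_key: "{{ api_token }}"
        host: "{{ cluster_host }}"
        validate_certs: false
        kind: Pod
      register: error
      no_log: true
      ignore_errors: true

    - name: Assert listing pods cluster-wide is forbidden after prune
      assert:
        that:
          - '"pods is forbidden: User" in error.msg'

    - name: list Pod for test namespace should failed
      kubernetes.core.k8s_info:
        api_key: "{{ api_token }}"
        host: "{{ cluster_host }}"
        validate_certs: false
        kind: Pod
        namespace: "{{ test_ns }}"
      register: error
      no_log: true
      ignore_errors: true

    - name: Assert listing pods in the test namespace is forbidden after prune
      assert:
        that:
          - '"pods is forbidden: User" in error.msg'

    - name: list Node using ServiceAccount
      kubernetes.core.k8s_info:
        api_key: "{{ api_token }}"
        host: "{{ cluster_host }}"
        validate_certs: false
        kind: Node
        namespace: "{{ test_ns }}"
      no_log: true

    # --- Phase 5: prune everything still labelled phase=dev ----------------

    - name: Prune clusterroles (remaining)
      community.okd.openshift_adm_prune_auth:
        resource: clusterroles
        label_selectors:
          - phase=dev

    - name: list Node using ServiceAccount should fail
      kubernetes.core.k8s_info:
        api_key: "{{ api_token }}"
        host: "{{ cluster_host }}"
        validate_certs: false
        kind: Node
        namespace: "{{ test_ns }}"
      register: error
      ignore_errors: true

    - name: Assert listing nodes is forbidden after prune
      assert:
        that:
          - '"nodes is forbidden: User" in error.msg'

  # Cleanup runs even when a step above failed; the ClusterRole* objects are
  # cluster-scoped and are not removed with the namespace, so they are
  # deleted explicitly. cluster_roles may be undefined if the test aborted
  # before it was set.
  always:
    - name: Ensure namespace is deleted
      kubernetes.core.k8s:
        state: absent
        kind: Namespace
        name: "{{ test_ns }}"
      ignore_errors: true

    - name: Delete ClusterRoleBinding
      kubernetes.core.k8s:
        kind: ClusterRoleBinding
        api_version: "rbac.authorization.k8s.io/v1"
        name: "{{ item.name }}-binding"
        state: absent
      ignore_errors: true
      loop: "{{ cluster_roles }}"
      when: cluster_roles is defined

    - name: Delete ClusterRole
      kubernetes.core.k8s:
        kind: ClusterRole
        api_version: "rbac.authorization.k8s.io/v1"
        name: "{{ item.name }}"
        state: absent
      ignore_errors: true
      loop: "{{ cluster_roles }}"
      when: cluster_roles is defined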